Post on 13-Dec-2015


Spring 2015 Program Analysis and Verification

Lecture 12: Abstract Interpretation IV

Roman Manevich, Ben-Gurion University

2

Teaching survey

• Anonymous • Distributed by email

3

Syllabus

Semantics

Natural Semantics

Structural semantics

Axiomatic Verification

Static Analysis

Automating Hoare Logic

Control Flow Graphs

Equation Systems

Collecting Semantics

Abstract Interpretation fundamentals

Lattices

Fixed-Points

Chaotic Iteration

Galois Connections

Domain constructors

Widening/Narrowing

Analysis Techniques

Numerical Domains

Alias analysis

Interprocedural Analysis

Shape Analysis

CEGAR

Crafting your own

Soot

From proofs to abstractions

Systematically developing

transformers

4

Previously

• Solving monotone systems via chaotic iteration

• Relating abstract semantics and concrete semantics
  – Galois connection
  – Sound abstract transformers
  – Partial reduction
  – Completeness

• Implementing transformers

5

Agenda

Question: given existing abstract interpreters (GC + transformers) can we reuse them to construct a new abstract interpreter?

• Composing abstract domains (and GCs)
• Reduced product
• Implementing composition of analyses

6

Composing lattices

7

Three example analyses

• Abstract states are conjunctions of constraints

• Variable Equalities
  – VE-factoids = { x=y | x, y ∈ Var } ∪ {false}
  – VE = (2^VE-factoids, ⊇, ∩, ∪, false, ∅)

• Constant Propagation
  – CP-factoids = { x=c | x ∈ Var, c ∈ Z } ∪ {false}
  – CP = (2^CP-factoids, ⊇, ∩, ∪, false, ∅)

• Available Expressions
  – AE-factoids = { x=y+z | x ∈ Var, y, z ∈ Var ∪ Z } ∪ {false}
  – AE = (2^AE-factoids, ⊇, ∩, ∪, false, ∅)

8

Lattice combinators reminder

• Cartesian Product
  – L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
    L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)
  – Cart(L1, L2) = (D1×D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart)

• Disjunctive completion
  – L = (D, ⊑, ⊔, ⊓, ⊥, ⊤)
  – Disj(L) = (2^D, ⊑, ⊔, ⊓, ⊥, ⊤)

• Relational Product
  – Rel(L1, L2) = Disj(Cart(L1, L2))

9

Cartesian product of complete lattices

• For two complete lattices
  L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)

• Define the poset Lcart = (D1×D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart) as follows:
  – (x1, x2) ⊑cart (y1, y2) iff x1 ⊑1 y1 and x2 ⊑2 y2

• Lemma: Lcart is a complete lattice

• Define the Cartesian constructor Lcart = Cart(L1, L2)

10

Composing Galois connections

11

Goal

• Given two Galois connections, can we combine them to form a new Galois connection?

12

Product connection: abstraction

(Diagram) The collecting-lattice element {[a↦9, c↦9]} is abstracted to the CP × VE lattice element ({a=9, c=9}, {c=a}).

13

Product connection: concretization

(Diagram) The CP × VE lattice element ({a=9}, {c=a}) is concretized component-wise in the collecting lattice:
  {a=9}  ↦  {[a↦9, c↦0], [a↦9, c↦1], [a↦9, c↦9], ...}
  {c=a}  ↦  {[a↦9, c↦9], [a↦1, c↦1], [a↦2, c↦2], ...}

14

Product connection: concretization

(Diagram) The concretization of the pair is the intersection of the two sets above: {[a↦9, c↦9]}.

15

Cartesian product of GCs

• GC_A = (C, α_A, γ_A, A)
  GC_B = (C, α_B, γ_B, B)

• Cartesian Product GC_AB = (C, α_AB, γ_AB, A×B)
  – α_AB(X) = ?
  – γ_AB(Y1, Y2) = ?

16

Cartesian product of GCs

• GC_A = (C, α_A, γ_A, A)
  GC_B = (C, α_B, γ_B, B)

• Cartesian Product GC_AB = (C, α_AB, γ_AB, A×B)
  – α_AB(X) = (α_A(X), α_B(X))
  – γ_AB(Y1, Y2) = γ_A(Y1) ∩ γ_B(Y2)

17

Product vs. reduced product

18

Product vs. reduced product

(Diagram) In the CP × VE lattice, the elements ({a=9}, {c=a}) and ({c=9}, {c=a}) both concretize to the same collecting-lattice element {[a↦9, c↦9]} as ({a=9, c=9}, {c=a}), the element that abstraction yields for it.

19

Reduced product

• For two complete lattices
  L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)

• Define the reduced poset
  D1 ⊗ D2 = { (d1, d2) ∈ D1×D2 | α(γ(d1, d2)) = (d1, d2) }
  L1 ⊗ L2 = (D1 ⊗ D2, ⊑cart, ⊔cart, ⊓cart, ⊥cart, ⊤cart)

20

Cartesian product transformers

• GC_A = (C, α_A, γ_A, A)   F_A[st] : A → A
  GC_B = (C, α_B, γ_B, B)   F_B[st] : B → B

• Cartesian Product GC_AB = (C, α_AB, γ_AB, A×B)
  – α_AB(X) = (α_A(X), α_B(X))
  – γ_AB(Y1, Y2) = γ_A(Y1) ∩ γ_B(Y2)

• How should we define F_AB[st] : A×B → A×B ?

21

Cartesian product transformers

• GC_A = (C, α_A, γ_A, A)   F_A[st] : A → A
  GC_B = (C, α_B, γ_B, B)   F_B[st] : B → B

• Cartesian Product GC_AB = (C, α_AB, γ_AB, A×B)
  – α_AB(X) = (α_A(X), α_B(X))
  – γ_AB(Y1, Y2) = γ_A(Y1) ∩ γ_B(Y2)

• How should we define F_AB[st] : A×B → A×B ?
• Idea: F_AB[st](a, b) = (F_A[st] a, F_B[st] b)
• Are component-wise transformers precise?

22

Cartesian product analysis example

• Abstract interpreter 1: Constant Propagation
• Abstract interpreter 2: Variable Equalities
• Let’s compare
  – Running them separately and combining results
  – Running the analysis with their Cartesian product

             CP analysis           VE analysis
  a := 9;    {a=9}                 {}
  b := 9;    {a=9, b=9}            {}
  c := a;    {a=9, b=9, c=9}       {c=a}

23

Cartesian product analysis example

• Abstract interpreter 1: Constant Propagation
• Abstract interpreter 2: Variable Equalities
• Let’s compare
  – Running them separately and combining results
  – Running the analysis with their Cartesian product

             CP analysis + VE analysis
  a := 9;    {a=9}
  b := 9;    {a=9, b=9}
  c := a;    {a=9, b=9, c=9, c=a}

24

Cartesian product analysis example

• Abstract interpreter 1: Constant Propagation
• Abstract interpreter 2: Variable Equalities
• Let’s compare
  – Running them separately and combining results
  – Running the analysis with their Cartesian product

             CP × VE analysis
  a := 9;    {a=9}
  b := 9;    {a=9, b=9}
  c := a;    {a=9, b=9, c=9, c=a}       Missing: {a=b, b=c}

25

Transformers for Cartesian product

• Naïve (component-wise) transformers do not utilize information from both components
  – Same as running analyses separately and then combining results

• Can we treat the transformers from each analysis as black boxes and obtain the best transformer for their combination?

26

Can we combine transformers modularly?

No generic method for any abstract interpretations

27

Implementing approximate reduced product

28

Reducing values for CPVE

• X = set of CP constraints of the form x=c (e.g., a=9)

• Y = set of VE constraints of the form x=y

• Reduce_CP×VE(X, Y) = (X’, Y’) such that α(γ(X’, Y’)) = (X’, Y’)

• Ideas?

29

Reducing values for CPVE

• X = set of CP constraints of the form x=c (e.g., a=9)
• Y = set of VE constraints of the form x=y
• Reduce_CP×VE(X, Y) = (X’, Y’) such that α(γ(X’, Y’)) = (X’, Y’)
• ReduceLeft:
  – if a=c ∈ X and a=b ∈ Y then add b=c to X
• ReduceRight:
  – if a=c ∈ X and b=c ∈ X then add a=b to Y
• Keep applying ReduceLeft and ReduceRight, and the reductions on each domain separately, until reaching a fixed-point

30

All the code you need to obtain a basic CP × VE implementation

31

Implementing reduction for CP × VE

32

Transformers for Cartesian product

• Do we get the best transformer by applying the component-wise transformer followed by reduction?
  – Unfortunately, no (what’s the intuition?)

• Can we do better?
  – Logical Product [Gulwani and Tiwari, PLDI 2006]

33

A modular approach for approximating reduced product

34

Logical product

• Idea: use equalities as a common reasoning tool to pass information between two domains

• Assume A = (D, …) is an abstract domain that supports two operations, for x ∈ D:
  – inferEqualities(x) = { a=b | γ(x) ⊨ a=b }
    returns a set of equalities between variables that are satisfied in all states given by x
  – refineFromEqualities(x, {a=b}) = y such that
    • γ(x) = γ(y)
    • y ⊑ x
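The ReduceLeft/ReduceRight loop of slide 29 and the inferEqualities/refineFromEqualities interface above are the same reduction seen from two sides. The following Python is an added example (the lecture's own code was only a screenshot and is not reproduced here) that implements the interface for CP and VE and runs the exchange to a fixed point; the encoding of CP and VE values is a constructed assumption.

```python
# Added example, not code from the lecture: the CP x VE reduction of slide 29, written
# through the inferEqualities / refineFromEqualities interface of slide 34. Constructed
# encoding: CP value = dict var -> int (x=c); VE value = set of frozenset({x, y}) (x=y).
from itertools import combinations

def closure(eqs):
    # transitively close a set of equalities into disjoint variable classes
    classes = []
    for eq in eqs:
        merged = set(eq).union(*[c for c in classes if c & set(eq)])
        classes = [c for c in classes if not c & merged] + [merged]
    return classes

def all_pairs(classes):
    return {frozenset(p) for c in classes for p in combinations(sorted(c), 2)}

def cp_infer_equalities(x):
    # gamma(x) |= a=b exactly when a and b are bound to the same constant
    return {frozenset(p) for p in combinations(sorted(x), 2) if x[p[0]] == x[p[1]]}

def cp_refine_from_equalities(x, eqs):
    # ReduceLeft: a known constant spreads to every variable equal to it;
    # two different constants in one class make the pair infeasible (None = false)
    y = dict(x)
    for cls in closure(eqs):
        consts = {y[v] for v in cls if v in y}
        if len(consts) > 1:
            return None
        if consts:
            y.update(dict.fromkeys(cls, consts.pop()))
    return y

def ve_infer_equalities(x):
    return all_pairs(closure(x))

def ve_refine_from_equalities(x, eqs):
    # ReduceRight: new equalities only strengthen the conjunction
    return all_pairs(closure(x | eqs))

def reduce_pair(x, y):
    # pass equalities back and forth until neither component changes (slide 29)
    while x is not None and y is not None:
        eqs = cp_infer_equalities(x) | ve_infer_equalities(y)
        x2 = cp_refine_from_equalities(x, eqs)
        y2 = ve_refine_from_equalities(y, eqs)
        if (x2, y2) == (x, y):
            return x, y
        x, y = x2, y2
    return None, None

if __name__ == "__main__":
    # slide 24: CP knows a=9, b=9, c=9 but VE only c=a; the reduction recovers a=b and b=c
    print(reduce_pair({"a": 9, "b": 9, "c": 9}, {frozenset("ca")}))
```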

35

Need to implement the interface

When the interface is not implemented, default versions of these operations are used

36

VE

37

CP

38

Implementing CP × VE × AE

39

Reducing Cartesian elements

40

41

Logical Product: basically the strongest postcondition, safely abstracting the existential quantifier

42

Abstracting the existential

Reduce the pair

Abstract away the existential quantifier for each domain

43

Combined analysis example

44

Disjunctive completion for path sensitivity

45

Information loss example (CP)

if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5
assert b==0

CP states along the program:
  entry                     {}
  after b := 5              {b=5}
  after b := -5             {b=-5}
  after the join            {true}
  after b := b-5            {true}
  after b := b+5            {true}
  assert b==0               can’t prove

46

Constant Propagation example

Lost all information about b at control-flow join

47

Disjunctive completion of a lattice

• For a complete lattice L = (D, ⊑, ⊔, ⊓, ⊥, ⊤)

• Define the powerset lattice L^P = (2^D, ⊑, ⊔, ⊓, ⊥, ⊤) with ⊑ = ? ⊔ = ? ⊓ = ? ⊥ = ? ⊤ = ?

• Lemma: L^P is a complete lattice

• L^P contains all subsets of D, which can be thought of as disjunctions of the corresponding predicates

• Define the disjunctive completion constructor L^P = Disj(L)

48

Disjunctive completion for GCs

• GC_A = (C, α_A, γ_A, A)

• Disjunctive completion GC_P(A) = (C, α_P(A), γ_P(A), P(A))
  – α_P(A)(X) = ?
  – γ_P(A)(Y) = ?

49

Disjunctive completion for GCs

• GC_A = (C, α_A, γ_A, A)

• Disjunctive completion GC_P(A) = (C, α_P(A), γ_P(A), P(A))
  – α_P(A)(X) = { α_A({x}) | x ∈ X }
  – γ_P(A)(Y) = ∪{ γ_A(y) | y ∈ Y }

• What about transformers?

50

Information loss example

if (…) b := 5 else b := -5
if (b>0) b := b-5 else b := b+5
assert b==0

Disj(CP) states along the program:
  entry                     {}
  after b := 5              {b=5}
  after b := -5             {b=-5}
  after the join            {b=5 ∨ b=-5}
  after b := b-5            {b=0}
  after b := b+5            {b=0}
  assert b==0               proved
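The CP run of slide 45 and the Disj(CP) run above can be reproduced in a few lines; this is an added example, not the lecture's own code, and the encoding of CP states and of Disj(CP) elements is my assumption. The Disj(CP) join also drops elements that lie below another one, the reduction of slide 60.

```python
# Added example, not code from the lecture: the CP and Disj(CP) runs of slides 45 and 50
# on  if (...) b := 5 else b := -5; if (b>0) b := b-5 else b := b+5; assert b==0.
# Constructed encoding: a CP state is a dict var -> int or TOP (unknown constant); an
# element of Disj(CP) is a list of such states, read as their disjunction.
from functools import reduce

TOP = "T"

def cp_join(s, t):
    # constant propagation join: agreeing constants survive, disagreeing ones become TOP
    return {v: s[v] if s.get(v) == t.get(v) else TOP for v in s.keys() | t.keys()}

def cp_leq(s, t):
    # s is below t in CP when every binding of t equals s's binding or is unknown
    return all(t.get(v) == s.get(v) or t.get(v) == TOP for v in s.keys() | t.keys())

def assume(states, var, pred):
    # branch condition as a filter on the disjuncts; an unknown constant passes either way
    return [s for s in states if s[var] == TOP or pred(s[var])]

def add_const(states, var, k):
    # transformer for  var := var + k  applied to every disjunct
    return [{**s, var: TOP if s[var] == TOP else s[var] + k} for s in states]

def join_cp(xs, ys):
    # base lattice CP: the join collapses all disjuncts into a single state
    return [reduce(cp_join, xs + ys)]

def join_disj(xs, ys):
    # Disj(CP): keep disjuncts apart, but drop any element that lies below another
    # one (the reduction of slide 60); among duplicates the first copy is kept
    cands = xs + ys
    return [s for i, s in enumerate(cands)
            if not any(cp_leq(s, t) and (s != t or j < i) for j, t in enumerate(cands))]

def analyze(join):
    # run the slide's program under the given join; return the element at the assert
    after_first_if = join([{"b": 5}], [{"b": -5}])
    then_branch = add_const(assume(after_first_if, "b", lambda b: b > 0), "b", -5)
    else_branch = add_const(assume(after_first_if, "b", lambda b: b <= 0), "b", 5)
    return join(then_branch, else_branch)

def proves_assert(states, var, value):
    # assert var == value is proved iff every remaining disjunct pins var to value
    return all(s[var] == value for s in states)

if __name__ == "__main__":
    for name, join in (("CP", join_cp), ("Disj(CP)", join_disj)):
        final = analyze(join)
        print(name, final, "proved" if proves_assert(final, "b", 0) else "can't prove")
```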

51

Disj(CP) example

52

The base lattice CP

(Hasse diagram) true at the top; below it the pairwise incomparable singletons … {x=-2} {x=-1} {x=0} {x=1} {x=2} …; false at the bottom.

53

The disjunctive completion of CP

(Hasse diagram) true at the top; below it ever larger disjunctions such as {x=0 ∨ x=1 ∨ x=2} {x=-1 ∨ x=1 ∨ x=-2} …; then the pairs {x=-2 ∨ x=-1} {x=-2 ∨ x=0} {x=-2 ∨ x=1} {x=1 ∨ x=2} …; then the singletons {x=-2} {x=-1} {x=0} {x=1} {x=2} …; false at the bottom.

What is the height of this lattice?

54

Mixing product and disjunctive completion

55

Taming disjunctive completion

• Disjunctive completion is very precise
  – Maintains the distinction between different execution paths
  – Helps handle conditions precisely
  – But very expensive – the number of abstract states grows exponentially in the number of conditions
  – May lead to non-termination

• Base analysis is less precise but terminates

• How can we increase precision and avoid non-termination?

56

Taming disjunctive completion

• Use different abstractions for different program locations
  – At loop heads use the coarse abstraction (base)
  – At other points use disjunctive completion

• Termination is guaranteed (by the base domain)

• Precision increased inside the loop body

57

With Disj(CP)

while (…) {
  x := x+1
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}

Doesn’t terminate

58

With tamed Disj(CP)

while (…) {                            CP at the loop head
  x := x+1                             Disj(CP) inside the loop body
  if (…) b := 5 else b := -5
  if (b>0) b := b-5 else b := b+5
  assert b==0
}

terminates

What DisjunctiveDomain implements

59

DisjunctiveDomain(CP) example

60

Reducing disjunctive elements

• A disjunctive set X may contain within it an ascending chain Y = a ⊑ b ⊑ c ⊑ …

• We only need max(Y) – remove all elements below it

61

Relational product construction

62

Cartesian product example

Lost all information about b at control-flow join

63

Relational product of lattices

• L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)

• Lrel = (2^(D1×D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
  – Lrel = ?

64

Relational product of lattices

• L1 = (D1, ⊑1, ⊔1, ⊓1, ⊥1, ⊤1)
  L2 = (D2, ⊑2, ⊔2, ⊓2, ⊥2, ⊤2)

• Lrel = (2^(D1×D2), ⊑rel, ⊔rel, ⊓rel, ⊥rel, ⊤rel) as follows:
  – Lrel = Disj(Cart(L1, L2))

• Lemma: Lrel is a complete lattice

• What does it buy us?
  – How does it relate to Cart(Disj(L1), Disj(L2))?

• What about transformers?

65

Relational product of GCs

• GC_A = (C, α_A, γ_A, A)
  GC_B = (C, α_B, γ_B, B)

• Relational Product GC_P(A×B) = (C, α_P(A×B), γ_P(A×B), P(A×B))
  – α_P(A×B)(X) = ?
  – γ_P(A×B)(Y) = ?

66

Relational product of GCs

• GC_A = (C, α_A, γ_A, A)
  GC_B = (C, α_B, γ_B, B)

• Relational Product GC_P(A×B) = (C, α_P(A×B), γ_P(A×B), P(A×B))
  – α_P(A×B)(X) = { (α_A({x}), α_B({x})) | x ∈ X }
  – γ_P(A×B)(Y) = ∪{ γ_A(yA) ∩ γ_B(yB) | (yA, yB) ∈ Y }

67

Relational product example

Correlations preserved

68

Function space construction

69

Function space

• GC_A = (C, α_A, γ_A, A)
  GC_B = (C, α_B, γ_B, B)

• Denote the set of monotone functions from A to B by A→B

• Define ⊔ for elements of A→B as follows:
  (a1, b1) ⊔ (a2, b2) = if a1=a2 then {(a1, b1 ⊔B b2)} else {(a1, b1), (a2, b2)}

• Reduced cardinal power GC_A→B = (C, α_A→B, γ_A→B, A→B)
  – α_A→B(X) = { (α_A({x}), α_B({x})) | x ∈ X }
  – γ_A→B(Y) = ∪{ γ_A(yA) ∩ γ_B(yB) | (yA, yB) ∈ Y }

• Useful when A is small and B is much larger
  – E.g., typestate verification

Next lecture: Abstract Interpretation V
